Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A computer program product for providing access to data storage services in a network environment, wherein the computer program product comprises a computer readable storage medium having program instructions embodied therewith that when executed cause operations, the operations comprising: providing multi-tenancy information for a plurality of clients, wherein for each client of the clients, the multi-tenancy information indicates at least one tenant assigned to the client, and for each of the at least one tenant assigned to a client, at least one data source assigned to the tenant assigned to the client, and for each of the at least one data source, information on at least one user assigned to the data source and permitted access to the data source; providing to a user an isolate tag to use when accessing data in a data source, wherein the isolate tag includes a client tag identifying one client, a tenant tag identifying one tenant, and a data source tag identifying one data source to which the user is permitted to access data; receiving from the user the isolate tag with a user access request to data in a data source, wherein the isolate tag indicates the client tag, tenant tag, and data source tag; validating the user access request by determining whether the multi-tenancy information indicates that the client, tenant, and data source identified by the client tag, the tenant tag, and the data source tag, respectively, in the isolate tag, are related; in response to the validating the user access request, determining a processing pipeline associated with the tenant identified by the tenant tag in the isolate tag, wherein the processing pipeline specifies a series of data processing services to apply to data for the tenant; and applying the data processing services specified in the determined processing pipeline to the data subject to the user access request.
This invention relates to a system for managing multi-tenant data storage and access in a network environment. The problem addressed is the need to securely and efficiently manage data access across multiple clients, tenants, and users while ensuring proper data isolation and processing. The system provides a structured framework for organizing and controlling access to data sources in a multi-tenant environment. The system stores multi-tenancy information that maps clients to tenants, tenants to data sources, and data sources to authorized users. Each user is assigned an isolate tag, which includes identifiers for the client, tenant, and data source they are permitted to access. When a user requests data, they submit the isolate tag, which the system validates by checking if the client, tenant, and data source relationships are valid according to the stored multi-tenancy information. Upon validation, the system determines a processing pipeline associated with the tenant, which defines a series of data processing services to apply to the requested data. These services are then executed on the data before it is provided to the user. This approach ensures that data access is properly controlled and that the correct processing steps are applied based on tenant-specific configurations. The system enhances security, scalability, and manageability in multi-tenant data storage environments.
2. The computer program product of claim 1 , wherein the user access request includes user authentication information, wherein the at least one user indicated for each of the at least one data source in the multi-tenancy information indicates user authentication information of the user, wherein the validating the user access request comprises: determining whether the user authentication information provided with the user access request satisfies the user authentication information in the multi-tenancy information.
This invention relates to a computer program product for managing user access to multiple data sources in a multi-tenant system. The problem addressed is ensuring secure and authenticated access to data sources while maintaining proper user permissions across different tenants. The system validates user access requests by comparing authentication information provided by the user with stored authentication details in multi-tenancy information. The multi-tenancy information includes user authentication data for each user associated with one or more data sources. When a user submits an access request, the system checks whether the provided authentication information matches the stored credentials in the multi-tenancy data. If the authentication information matches, the user is granted access to the requested data source; otherwise, access is denied. The invention ensures that only authorized users can access specific data sources by verifying authentication credentials against stored multi-tenancy data. This approach enhances security by preventing unauthorized access while maintaining proper user permissions across different tenants in a shared environment. The system dynamically checks authentication information for each access request, ensuring real-time validation and access control.
3. The computer program product of claim 1 , wherein the user access request is validated in response to: determining that the user submitting the user access request is assigned to a data source in the multi-tenancy information identified by the data source tag in the isolate tag with the user access request; determining that the data source to which the user is assigned is assigned to a tenant in the multi-tenancy information identified by the tenant tag in the isolate tag with the user access request; and determining that the tenant to which the data source is assigned is assigned to a client in the multi-tenancy information identified by the client tag in the isolate tag with the user access request.
This invention relates to a computer program product for managing access control in a multi-tenant system. The system addresses the challenge of securely validating user access requests in environments where multiple clients, tenants, and data sources must be isolated while ensuring proper authorization. The program validates user access requests by verifying hierarchical relationships between users, data sources, tenants, and clients. Specifically, it checks whether the requesting user is assigned to a data source, whether that data source is assigned to a tenant, and whether that tenant is assigned to a client. These assignments are verified against multi-tenancy information stored in the system, using tags embedded in the access request to identify the relevant data source, tenant, and client. The validation ensures that users can only access data sources they are explicitly authorized to access, while maintaining isolation between different clients, tenants, and data sources. This hierarchical validation process prevents unauthorized access and enforces strict access control policies in multi-tenant environments.
4. The computer program product of claim 1 , wherein the user access request comprises a write request to write data, wherein the applying the data processing services specified in the determined processing pipeline to the data subject to the user access request further comprises: writing the write data to the data source identified by the data source tag in the isolate tag.
This invention relates to a computer program product for managing data access and processing in a secure and isolated manner. The technology addresses the problem of ensuring controlled and auditable data access while applying specific processing services to data based on user requests. The system involves a method for handling user access requests, where each request is associated with a processing pipeline that defines a sequence of data processing services to be applied. The processing pipeline is determined based on metadata tags, including an isolate tag that specifies a data source and a processing tag that identifies the required processing services. When a user submits a write request to modify data, the system applies the specified processing services to the write data before writing it to the designated data source. This ensures that data is processed according to predefined rules before storage, enhancing security and compliance. The invention also includes mechanisms for validating the processing pipeline and ensuring that the data source is correctly identified for the write operation. The overall system provides a structured approach to data handling, where access and processing are tightly controlled through metadata-driven workflows.
5. The computer program product of claim 4 , wherein the writing the write data further comprises: writing the isolate tag with the write in the user access request in the data source identified by the data source tag in the isolate tag.
This invention relates to data management systems, specifically methods for handling user access requests to data sources while ensuring data isolation. The problem addressed is the need to securely manage write operations to data sources in a way that prevents unauthorized access or modification of data, particularly in multi-user or shared data environments. The invention involves a computer program product that processes user access requests to write data to a data source. The system includes an isolate tag associated with the write operation, which contains a data source tag identifying the specific data source where the write operation should occur. The isolate tag ensures that the write data is only written to the designated data source, preventing accidental or unauthorized writes to other data sources. The system also includes a user access request that specifies the write data and the isolate tag, ensuring that the write operation is performed in a controlled and isolated manner. The invention further includes a data source that receives the write data and the isolate tag, processes the request, and writes the data only to the specified data source. This ensures that the data integrity and isolation are maintained, reducing the risk of data corruption or unauthorized access. The system may also include additional mechanisms to verify the authenticity and authorization of the user access request before performing the write operation, further enhancing security. This approach is particularly useful in environments where multiple users or systems interact with shared data sources, such as cloud computing, distributed databases, or collaborative applications. By enforcing strict isolation through the isolate tag, the invention ensures that write operations are p
6. The computer program product of claim 1 , wherein the multi-tenancy information comprises a hierarchical relationship of clients to tenants, tenants to data sources, and data sources to tenants, wherein a user assigned to a higher level in the hierarchical relationship than a data source, including a client or tenant, is permitted to access all data sources assigned to the client or tenant to which the user is assigned, wherein the user assigned to a client is permitted to access all data sources assigned to at least one tenant assigned to the client to which the user is assigned.
This invention relates to a multi-tenancy system for managing access to data sources in a hierarchical structure. The system addresses the challenge of securely organizing and controlling access to data across multiple clients and tenants, ensuring that users have appropriate permissions based on their assigned level in the hierarchy. The system defines a hierarchical relationship where clients are at the highest level, followed by tenants, and then data sources. A user assigned to a higher level, such as a client or tenant, can access all data sources under their assigned level. For example, a user assigned to a client can access all data sources linked to any tenant under that client. Similarly, a user assigned to a tenant can access all data sources assigned to that tenant. This hierarchical structure ensures that permissions are inherited downward, simplifying access control while maintaining security. The system also allows for flexible assignment of data sources to tenants and clients, enabling dynamic adjustments to access permissions as organizational structures change. This ensures that users only access data they are authorized to view, reducing the risk of unauthorized data exposure. The hierarchical model streamlines administration by reducing the need for individual permission assignments, making it scalable for large organizations with complex data access requirements.
7. The computer program product of claim 1 , wherein all user access requests to data in data sources must include an isolate tag in order to be processed, wherein users cannot access data sources not indicated in the isolate tag presented by the user.
This invention relates to a computer program product for controlling data access in a system with multiple data sources. The problem addressed is the need to restrict user access to specific data sources while preventing unauthorized access to other data sources. The solution involves requiring an isolate tag in all user access requests to data sources. The isolate tag specifies which data sources the user is permitted to access. When a user submits a request, the system checks the isolate tag to determine if the requested data source is listed. If the requested data source is not included in the isolate tag, the request is denied. This ensures that users can only access data sources explicitly indicated in their isolate tag, preventing unauthorized access to other data sources. The system enforces this restriction by validating the isolate tag against the requested data source before processing the request. This approach enhances data security by limiting access to only the permitted data sources, reducing the risk of unauthorized data exposure. The invention is particularly useful in environments where strict data isolation is required, such as multi-tenant systems or applications handling sensitive information.
8. The computer program product of claim 1 , wherein at least one user is provided multiple isolate tags including at least one of different data source tag, tenant tag, and client tag to provide access to different data sources.
This invention relates to a computer program product for managing data access in a multi-tenant or multi-client environment. The system addresses the challenge of securely isolating and controlling access to different data sources, tenants, or clients within a shared computing environment. The invention provides a method for assigning multiple isolate tags to at least one user, where these tags include at least one of a data source tag, tenant tag, or client tag. These tags determine which data sources or subsets of data the user can access. The tags ensure that users are restricted to only the data they are authorized to view, preventing unauthorized access across different data sources, tenants, or clients. The system dynamically applies these tags to enforce access control policies, allowing for flexible and scalable data isolation. The invention improves security and data privacy by ensuring that users can only interact with the data sources or tenants they are explicitly permitted to access, reducing the risk of data breaches or unauthorized data sharing. The solution is particularly useful in cloud computing, enterprise software, or any environment where multiple users or organizations share a common infrastructure but require strict data separation.
9. The computer program product of claim 1 , wherein at least two processing pipelines associated with different tenants specify different data processing services.
This invention relates to computer systems and more specifically to managing and processing data for multiple users or organizations, known as tenants, within a shared computing environment. The problem addressed is efficiently and distinctly processing data for these different tenants. The computer program product comprises a set of instructions stored on a non-transitory computer-readable medium. When executed by a computer, these instructions configure the system to establish and manage multiple processing pipelines. Each processing pipeline is associated with a specific tenant. Crucially, at least two of these distinct processing pipelines are configured to utilize and perform different data processing services. This means that one tenant's data might be processed for analytics, while another tenant's data is processed for real-time reporting, or any other combination of distinct data processing functions, all within the same underlying system through separate pipelines.
10. The computer program product of claim 1 , wherein for a write operation for write data provided with the user access request to write, a processing pipeline for the tenant indicated in the isolation tag applies the data processing services defined by the determined processing pipeline to the write data to write to the data source identified by the data source tag in the isolate tag.
This invention relates to a multi-tenant data processing system that isolates and processes data based on tenant-specific configurations. The system addresses the challenge of securely managing and processing data from multiple tenants in a shared environment while ensuring data isolation and applying tenant-specific processing rules. The system uses an isolation tag associated with a user access request to identify the tenant and determine the appropriate processing pipeline for that tenant. For write operations, the system applies the tenant-specific data processing services defined in the processing pipeline to the write data. The processing pipeline includes services such as data validation, transformation, encryption, or other operations tailored to the tenant's requirements. The data is then written to a data source identified by a data source tag within the isolation tag, ensuring that the data is stored in the correct location while maintaining isolation between tenants. The system dynamically applies the correct processing pipeline based on the tenant's configuration, ensuring that each tenant's data is processed according to their specific rules without interference from other tenants. This approach enhances security, compliance, and flexibility in multi-tenant environments.
11. The computer program product of claim 10 , wherein the user access request is to read requested data, wherein the processing pipeline for the tenant indicated in the isolate tag reads the requested data from the data source identified by the data source tag and applies the data processing services defined by the determined processing pipeline to the read requested data from the data source indicated in the isolate tag.
This invention relates to a computer program product for managing data access and processing in a multi-tenant environment. The system addresses the challenge of securely and efficiently handling user requests for data while ensuring proper isolation and processing based on tenant-specific configurations. When a user submits a read request for specific data, the system identifies the tenant associated with the request through an isolate tag. The system then retrieves the requested data from a designated data source, which is also specified by a data source tag. A processing pipeline, predefined for the tenant, is applied to the retrieved data. This pipeline includes a series of data processing services that transform or analyze the data according to the tenant's requirements. The system ensures that each tenant's data and processing logic remain isolated from others, maintaining security and operational integrity. The invention optimizes data handling by dynamically applying the appropriate processing steps based on tenant-specific configurations, reducing manual intervention and improving efficiency. This approach is particularly useful in cloud-based or shared infrastructure environments where multiple tenants require customized data processing workflows.
12. A system for providing access to data storage services in a network environment, comprising: a processor; a multi-tenancy information for a plurality of clients, wherein for each client of the clients, the multi-tenancy information indicates at least one tenant assigned to the client, and for each of the at least one tenant assigned to a client, at least one data source assigned to the tenant assigned to the client, and for each of the at least one data source, information on at least one user assigned to the data source and permitted access to the data source; and a computer readable storage medium having program instructions embodied therewith that when executed cause operations, the operations comprising: providing to a user an isolate tag to use when accessing data in a data source, wherein the isolate tag includes a client tag identifying one client, a tenant tag identifying one tenant, and a data source tag identifying one data source to which the user is permitted to access data; receiving from the user the isolate tag with a user access request to data in a data source, wherein the isolate tag indicates the client tag, tenant tag, and data source tag; validating the user access request by determining whether the multi-tenancy information indicates that the client, tenant, and data source identified by the client tag, the tenant tag, and the data source tag, respectively, in the isolate tag, are related; in response to the validating the user access request, determining a processing pipeline associated with the tenant identified by the tenant tag in the isolate tag, wherein the processing pipeline specifies a series of data processing services to apply to data for the tenant; and applying the data processing services specified in the determined processing pipeline to the data subject to the user access request.
A system provides secure, multi-tenant access to data storage services in a network environment. The system addresses challenges in managing data access across multiple clients, tenants, and users while ensuring proper authorization and data processing. The system includes a processor and a storage medium with program instructions. Multi-tenancy information is stored for multiple clients, where each client is associated with one or more tenants, each tenant is linked to one or more data sources, and each data source has assigned users with permitted access. When a user requests data, they provide an isolate tag containing a client identifier, tenant identifier, and data source identifier. The system validates the request by checking if the client, tenant, and data source are correctly related in the multi-tenancy information. If validated, the system determines a processing pipeline specific to the tenant, which defines a series of data processing services to apply to the requested data. The system then applies these services to the data before providing access. This approach ensures secure, role-based access control and consistent data processing for each tenant.
13. The system of claim 12 , wherein the user access request is validated in response to: determining that the user submitting the user access request is assigned to a data source in the multi-tenancy information identified by the data source tag in the isolate tag with the user access request; determining that the data source to which the user is assigned is assigned to a tenant in the multi-tenancy information identified by the tenant tag in the isolate tag with the user access request; and determining that the tenant to which the data source is assigned is assigned to a client in the multi-tenancy information identified by the client tag in the isolate tag with the user access request.
A system for managing access to data in a multi-tenant environment ensures secure and hierarchical validation of user requests. The system validates user access requests by verifying the user's assignment to a specific data source, which is further linked to a tenant, and the tenant is assigned to a client. The validation process involves checking an isolate tag associated with the user access request, which contains data source, tenant, and client tags. The system cross-references these tags with multi-tenancy information to confirm the user's permissions. This hierarchical validation ensures that users can only access data sources they are explicitly assigned to, and those data sources must belong to a tenant that is assigned to a client. The system enforces strict access control by maintaining a structured relationship between users, data sources, tenants, and clients, preventing unauthorized access across different levels of the multi-tenant architecture. This approach enhances security and data isolation in environments where multiple clients, tenants, and users share infrastructure while maintaining distinct access boundaries.
14. The system of claim 12 , wherein the operations further comprise: writing the isolate tag with write data in a write access request to the data source identified by the data source tag in the isolate tag.
Data storage systems. This invention addresses the need to efficiently manage and access data within a system that utilizes isolate tags for data identification and access control. The system operates by performing write operations on a data source. Specifically, when a write access request is initiated, the system includes an operation to write data. This write operation is directed to a data source that has been identified by a data source tag. Crucially, this data source tag is itself contained within an isolate tag. Therefore, the system writes specific write data to the designated data source, utilizing the isolate tag to both identify the data source and potentially provide access context or permissions for the write operation.
15. The system of claim 12 , wherein at least two processing pipelines associated with different tenants specify different data processing services.
A system for multi-tenant data processing involves multiple processing pipelines, each dedicated to a different tenant. These pipelines handle data processing tasks for their respective tenants, ensuring isolation and customization. The system allows at least two of these pipelines to specify different data processing services, enabling tailored workflows for each tenant. This customization may include variations in data transformation, analysis, or storage services, depending on the tenant's requirements. The system ensures that each tenant's data is processed independently, with no interference between pipelines. This approach supports diverse processing needs across tenants while maintaining security and performance. The system may integrate with external services or APIs to extend functionality, allowing tenants to incorporate specialized tools or algorithms into their pipelines. By dynamically configuring processing services, the system adapts to evolving tenant demands without requiring system-wide changes. This flexibility is particularly useful in cloud-based or multi-tenant environments where tenants have distinct processing requirements. The system may also include monitoring and management features to track pipeline performance and resource usage, ensuring efficient operation. Overall, the system provides a scalable and customizable framework for multi-tenant data processing, addressing the challenge of accommodating diverse processing needs in a shared infrastructure.
16. A method for providing access to data storage services in a network environment, comprising: providing multi-tenancy information for a plurality of clients, wherein for each client of the clients, the multi-tenancy information indicates at least one tenant assigned to the client, and for each of the at least one tenant assigned to a client, at least one data source assigned to the tenant assigned to the client, and for each of the at least one data source, information on at least one user assigned to the data source and permitted access to the data source; providing to a user an isolate tag to use when accessing data in a data source, wherein the isolate tag includes a client tag identifying one client, a tenant tag identifying one tenant, and a data source tag identifying one data source to which the user is permitted to access data; receiving from the user the isolate tag with a user access request to data in a data source, wherein the isolate tag indicates the client tag, tenant tag, and data source tag; validating the user access request by determining whether the multi-tenancy information indicates that the client, tenant, and data source identified by the client tag, the tenant tag, and the data source tag, respectively, in the isolate tag, are related; in response to the validating the user access request, determining a processing pipeline associated with the tenant identified by the tenant tag in the isolate tag, wherein the processing pipeline specifies a series of data processing services to apply to data for the tenant; and applying the data processing services specified in the determined processing pipeline to the data subject to the user access request.
This invention relates to a method for managing access to data storage services in a multi-tenant network environment. The problem addressed is ensuring secure and organized access to data across multiple clients, tenants, and users while applying tenant-specific data processing pipelines. The method involves maintaining multi-tenancy information that maps clients to tenants and tenants to data sources, along with user permissions for each data source. When a user requests access to data, they provide an isolate tag containing identifiers for the client, tenant, and data source. The system validates the request by checking if the client, tenant, and data source are correctly related in the multi-tenancy information. If validated, the system retrieves a processing pipeline associated with the tenant, which defines a series of data processing services to apply to the tenant's data. The system then applies these services to the requested data. This approach ensures that users only access authorized data and that data is processed according to tenant-specific workflows, improving security and data management in multi-tenant environments.
17. The method of claim 16 , wherein the user access request is validated in response to: determining that the user submitting the user access request is assigned to a data source in the multi-tenancy information identified by the data source tag in the isolate tag with the user access request; determining that the data source to which the user is assigned is assigned to a tenant in the multi-tenancy information identified by the tenant tag in the isolate tag with the user access request; and determining that the tenant to which the data source is assigned is assigned to a client in the multi-tenancy information identified by the client tag in the isolate tag with the user access request.
This invention relates to a multi-tenancy access control system for validating user requests to access data sources. The system addresses the challenge of securely managing access in environments where multiple clients, tenants, and data sources must be isolated while ensuring users can only access authorized resources. The method involves validating a user access request by checking hierarchical relationships in multi-tenancy information. First, it verifies that the requesting user is assigned to a specific data source identified by a data source tag in an isolate tag accompanying the request. Next, it checks that the data source is assigned to a tenant, as specified by a tenant tag in the isolate tag. Finally, it confirms that the tenant is assigned to a client, as indicated by a client tag in the isolate tag. Only if all these hierarchical validations pass is the user access request granted. This ensures strict enforcement of access controls across multiple layers of tenancy, preventing unauthorized access to data sources, tenants, or clients. The system dynamically enforces these relationships to maintain security and isolation in multi-tenant environments.
18. The method of claim 16 , further comprising: writing the isolate tag with write data in a write access request to the data source identified by the data source tag in the isolate tag.
This invention relates to data processing systems, specifically methods for managing data access in a computing environment. The problem addressed is ensuring secure and isolated data access operations, particularly in systems where multiple processes or users may interact with shared data sources. The method involves generating an isolate tag that includes a data source tag, which identifies a specific data source within the system. The isolate tag is used to control access to the data source, ensuring that operations are performed in an isolated manner to prevent unauthorized or unintended modifications. The method further includes writing data to the identified data source by incorporating the isolate tag into a write access request. This ensures that the write operation is properly authorized and scoped to the correct data source, enhancing data integrity and security. The isolate tag may also include additional metadata or control information to further refine access permissions or operational constraints. The write access request is processed by the system, which verifies the isolate tag before executing the write operation, thereby enforcing the isolation rules. This approach is particularly useful in multi-tenant or distributed computing environments where secure and controlled data access is critical. The method ensures that data modifications are performed in a controlled and traceable manner, reducing the risk of data corruption or unauthorized access.
19. The method of claim 16 , wherein at least two processing pipelines associated with different tenants specify different data processing services.
A system and method for managing data processing pipelines in a multi-tenant environment addresses the challenge of efficiently handling diverse processing requirements across different tenants. The invention enables multiple tenants to operate independent processing pipelines, each configured with distinct data processing services tailored to their specific needs. This approach ensures that each tenant's data is processed according to their unique requirements while maintaining isolation and security between tenants. The system dynamically assigns and configures processing services for each pipeline, allowing for flexibility in service selection and customization. By supporting different processing services across pipelines, the invention optimizes resource utilization and performance, ensuring that each tenant's data is processed efficiently without interference from other tenants. This solution is particularly useful in cloud computing environments where multiple tenants share infrastructure but require distinct processing capabilities. The method ensures scalability, security, and performance by isolating tenant-specific processing pipelines and dynamically adjusting services based on demand.
Unknown
March 24, 2020
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.